IT Security 101: Prevent Weak Passwords


Passwords have been part of IT since long before the age of the desktop PC. However, now more than ever, systems administrators need to re-examine their password security policies to remain effective against modern programs and computers that can crack weak passwords in minutes.

Basic eight-character passwords can now be cracked by consumer password recovery software in well under an hour. More experienced hackers armed with rainbow tables and other free tools can crack 14-character passwords – including alpha-numeric passwords with special characters – in less than three minutes. To stay one step ahead, systems administrators must encourage users to adopt longer, stronger passphrases.

Adding numeric characters to a password and creating a passphrase – more of a sequence of words like “IamtheKeeper0fthi$Computer!” – can significantly increase the time needed by the best cracking software, running on the latest multi-processor machine, to the point where brute force hacking of passphrases becomes impractical.

Systems administrators must also mandate that users update their passphrases on a regular basis. These updates can provide some measure of protection should a passphrase ever be compromised – say, in a hotel, an airport, or even at home on a work laptop. It’s also advisable to configure rules to prevent users from cycling through old, previously used passphrases. Best practices stipulate setting passphrases to expire within 60 days or less, and require minimum length, minimum age, and the use of special characters.

Okay, but what about the less obvious rules?

For Windows users, systems administrators should set Group Policy to disable LANMan hashes. LANMan hashes are notoriously easy to crack using brute force methods or rainbow tables with a pre-computed list of hashes. The policy is located under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. It is configured by setting ‘Network security: Do not store LAN Manager hash value on next password change’ to Enabled.

It’s also prudent to set a minimum passphrase length of 15 characters: Windows only computes an LANMan hash for passwords of 14 characters or fewer, so at 15 characters no LANMan hash can exist, regardless of other policy settings.
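As an added example (not part of the original article), the following PowerShell script audits a Windows host against the settings discussed above: the LANMan hash policy, minimum length, expiry, history and complexity. The registry value `NoLMHash` under the `Lsa` key is what the Group Policy setting writes; the other values are read from a `secedit` export of the local security policy, so the script needs an elevated session. The thresholds at the top are assumptions taken from the article's guidance.

```powershell
# Added example: audit local password policy against the article's recommendations.
# Run from an elevated PowerShell session (secedit /export requires it).
$MinLength  = 15   # assumed threshold: 15 chars means no LM hash can be stored
$MaxAgeDays = 60   # assumed threshold: article recommends expiry within 60 days
$MinHistory = 1    # assumed threshold: any history > 0 blocks immediate reuse

function Get-LocalSecurityPolicy {
    # secedit writes an INI-style file; the [System Access] section carries the
    # password settings as "Name = Value" lines. The temp path is constructed here.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    & secedit.exe /export /cfg $cfg /quiet | Out-Null
    $settings = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $settings[$matches[1]] = $matches[2] }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $settings
}

function Test-PasswordPolicy {
    $p = Get-LocalSecurityPolicy
    $findings = @()

    # "Network security: Do not store LAN Manager hash value on next password change"
    # is backed by NoLMHash under the Lsa key; 1 means the policy is enabled.
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $noLm = (Get-ItemProperty -Path $lsa -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
    if ($noLm -ne 1) { $findings += 'LM hash storage is NOT disabled (NoLMHash is not 1)' }

    if ([int]$p['MinimumPasswordLength'] -lt $MinLength) {
        $findings += "MinimumPasswordLength is $($p['MinimumPasswordLength']); recommended >= $MinLength"
    }
    # MaximumPasswordAge of -1 in the export means passwords never expire.
    $maxAge = [int]$p['MaximumPasswordAge']
    if ($maxAge -lt 1 -or $maxAge -gt $MaxAgeDays) {
        $findings += "MaximumPasswordAge is $maxAge; recommended 1..$MaxAgeDays days"
    }
    if ([int]$p['PasswordHistorySize'] -lt $MinHistory) {
        $findings += 'PasswordHistorySize is 0; previous passphrases can be reused'
    }
    if ([int]$p['PasswordComplexity'] -ne 1) {
        $findings += 'PasswordComplexity is disabled; special characters are not required'
    }
    return $findings
}

$results = Test-PasswordPolicy
if ($results.Count -eq 0) { 'Password policy meets the recommended baseline.' }
else { $results | ForEach-Object { "FINDING: $_" } }
```

On a domain-joined machine the effective settings come from the domain password policy, so the same checks should be run against the Default Domain Policy (or fine-grained password policies) rather than only the local export.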

Systems administrators should also give every built-in administrator account (e.g. administrator, root, sa, sys, etc.) a frequently updated passphrase that is unique to that account on that system. This practice breaks the peer-to-peer trust model of a Windows network, in which one shared local administrator password works on every machine, and ensures that a breach of one system’s administrator password does not lead to the compromise of any other system.

Also keep in mind that there are scenarios – such as restarting the computer in safe-mode – when disabled administrator accounts can be re-activated without user intervention. Therefore it’s essential to continuously audit all “super user” accounts in such a way that unusual activity is quickly discovered and remediated.
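The audit the two paragraphs above call for can be scripted. The following PowerShell function is an added example, not the article's or any vendor's code: it inventories the local accounts that hold Administrators membership and flags the conditions described here (built-in Administrator enabled, stale passphrase, passphrase that never expires). Because a disabled account can come back without anyone noticing, it is meant to be run on a schedule and its output compared against the previous run. `$StaleDays` is an assumed threshold.

```powershell
# Added example: inventory local privileged accounts and flag risky states.
# Requires Windows PowerShell 5.1+ or the Microsoft.PowerShell.LocalAccounts module.
$StaleDays = 60   # assumed threshold, matching the article's 60-day expiry guidance

function Get-PrivilegedAccountReport {
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $report = foreach ($m in $members) {
        # Domain members are reported by the domain's own tooling; look at local users only.
        if ($m.ObjectClass -ne 'User' -or $m.PrincipalSource -ne 'Local') { continue }
        $u = Get-LocalUser -SID $m.SID

        # RID 500 is always the built-in Administrator, whatever it has been renamed to.
        $isBuiltIn = $u.SID.Value -match '-500$'

        $age = if ($u.PasswordLastSet) {
            (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days
        } else { $null }

        $flags = @(
            if ($isBuiltIn -and $u.Enabled)             { 'built-in admin account is enabled' }
            if ($null -eq $age -or $age -gt $StaleDays) { "passphrase older than $StaleDays days" }
            if ($null -eq $u.PasswordExpires)           { 'passphrase never expires' }
        )

        [pscustomobject]@{
            Name        = $u.Name
            BuiltIn     = $isBuiltIn
            Enabled     = $u.Enabled
            PasswordAge = $age
            LastLogon   = $u.LastLogon
            Flags       = ($flags -join '; ')
        }
    }
    return $report
}

# Show everything, then only the accounts that need attention.
$all = Get-PrivilegedAccountReport
$all | Format-Table -AutoSize
$all | Where-Object { $_.Flags } | ForEach-Object { "ATTENTION: $($_.Name): $($_.Flags)" }
```

Writing each run's output to a central log and diffing it against the last run is what turns this from a one-off check into the continuous audit the article asks for: an account that was disabled yesterday and is enabled today shows up as a change, not just as a line in a table.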

Fortunately, privileged identity management products are available to help you continuously track, secure and audit the “super user” credentials required for administrator logins, application-to-application transactions and highly privileged services.

What specific tips can you give end users?

Don’t include easily guessed information in your passwords such as birthdays or family and pet names. Also, don’t use easily guessed or common words such as “password” and simply replace characters such as “a” with an “@” or “o” with a zero. Hackers know this strategy, and their software knows it too.

Don’t use the same passphrase for multiple logins – and in particular don’t mix personal passphrases with business ones. Keep everything separate so that even if one account is compromised, the rest are secure.

Never give anyone – including IT staff – your password. If a systems administrator truly needs your passphrase, change it before disclosing it, then change it back when they are done with their work. And make sure you’re present while they’re using your account.

And then there are the not-so-obvious tips…

Even when logging onto websites, use passphrases that are 15 characters long whenever allowed. This can help protect your account on sites whose administrators may not be protecting stored passphrases by disabling vulnerable hashing algorithms.

Don’t allow browsers to store your passphrases for you, because not all browsers store your logins in a secure fashion.

Lastly, never configure a computer to automatically log you on. If your system is configured for auto-logon, Windows may actually store your passphrase in clear text within the registry of the system in one or more well-known locations. This mistake can give even the most amateurish of hackers access to your system and knowledge of your passphrase – a dangerous combination.
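The auto-logon configuration described above lives in the Winlogon registry key: `AutoAdminLogon` set to `"1"` turns the feature on, and `DefaultPassword` holds the passphrase in clear text. The following PowerShell function is an added example, not code from the article: it reports whether a machine is configured this way and, with the assumed `-Remediate` switch, turns auto-logon off and deletes the stored passphrase. It deliberately reports only whether a password value is present, never its contents.

```powershell
# Added example: detect (and optionally remove) cleartext auto-logon settings.
# Requires an elevated session to modify HKLM.
function Test-AutoLogon {
    param([switch]$Remediate)   # assumed switch name for this example

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl  = Get-ItemProperty -Path $key

    # AutoAdminLogon is a REG_SZ holding "1" when enabled.
    $enabled     = ($wl.AutoAdminLogon -eq '1')
    # Only test for the presence of DefaultPassword; never read it back to the console.
    $hasPassword = $null -ne $wl.PSObject.Properties['DefaultPassword']

    $result = [pscustomobject]@{
        AutoLogonEnabled  = $enabled
        DefaultUserName   = $wl.DefaultUserName
        ClearTextPassword = $hasPassword
        Remediated        = $false
    }

    if ($Remediate -and ($enabled -or $hasPassword)) {
        Set-ItemProperty -Path $key -Name AutoAdminLogon -Value '0'
        if ($hasPassword) { Remove-ItemProperty -Path $key -Name DefaultPassword }
        $result.Remediated = $true
    }
    return $result
}

# Report only:
Test-AutoLogon
# Report and clean up:
# Test-AutoLogon -Remediate
```

After remediation the passphrase that was stored in the registry should be treated as exposed and changed, since anything that could read the key while it was present may already have a copy.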

Conclusions

Effective password security is often said to be a “state of mind,” and I’ve heard words such as “holistic” used to describe the process.

In truth, all that is needed to create a more secure IT environment is the right set of automated building blocks – security policies – that are enforced by automated systems, audited and reviewed to account for current and future security threats. This decreases the likelihood of any security weaknesses being overlooked, and increases the odds of you being alerted to any unusual activity.

What are your strategies for eliminating weak passwords? Visit the Identity Week blog to keep track of current news and trends in IT security.

Chris Stoneff oversees product management, quality assurance and technical support at Lieberman Software, and is responsible for meeting the real-world needs of the company’s customers. With over 15 years of systems administration, consulting, training, and product management experience, Mr. Stoneff is instrumental in guiding the development of the Lieberman Software products portfolio. An accomplished consultant and technical trainer, he has taught thousands of administrators on fundamental and advanced concepts of Windows management and security concepts and key technologies.
